Cloud identity reached a throttling API rate

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Informational

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.

Attacker's Goals

Abuse cloud resource, such behavior is usually seen during a cryptocurrency attacks.

Investigative actions

  • Check the identity created resources and its legitimacy.
  • Look for any unusual behavior originated from the suspected identity.

Variations

Cloud identity reached a highly unusual throttling API rate

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Low

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.
This indicates on a high volume of cloud instances allocation, such activity may be related to a cryptocurrency attack.

Attacker's Goals

Abuse cloud resource, such behavior is usually seen during a cryptocurrency attacks.

Investigative actions

  • Check the identity created resources and its legitimacy.
  • Look for any unusual behavior originated from the suspected identity.


Cloud identity reached an unusual throttling API rate in the cloud project

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Informational

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.
This API rate is unusual on the project level.

Attacker's Goals

Abuse cloud resource, such behavior is usually seen during a cryptocurrency attacks.

Investigative actions

  • Check the identity created resources and its legitimacy.
  • Look for any unusual behavior originated from the suspected identity.


Cloud identity reached an unusual throttling API rate

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Network Denial of Service (T1498)

Severity

Informational

Description

A cloud identity has executed a high volume of API calls, causing a throttling error.
This activity is unusual for the cloud identity, and was not seen in the last 30 days.

Attacker's Goals

Abuse cloud resource, such behavior is usually seen during a cryptocurrency attacks.

Investigative actions

  • Check the identity created resources and its legitimacy.
  • Look for any unusual behavior originated from the suspected identity.